Michael Ströder wrote:
> Arthur de Jong wrote:
>> Since you cannot do joins in LDAP, every group with member attributes such as cn=Joe,ou=People,dc=... will require another lookup per member to find the username (uid attribute).
>
> This very much depends on the implementation of the NSS provider. AFAIK sssd simply searches all posixAccount and posixGroup entries and resolves group membership internally from the local sssd cache database. If an NSS provider does not support something similar it should be expanded to do so or one should not use it at all.
>
> Furthermore there's slapo-deref which seems to work. The client control can be used to retrieve all the 'uid' values in member entries. The NSS provider has to extract the 'uid' values from the response control value. See https://tools.ietf.org/html/draft-masarati-ldap-deref

Was going to reply but Michael beat me to it. Reiterating all the points Michael made. There is no good reason to use memberUid or uniqueMember in LDAP, both of these schema elements are deeply flawed.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
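
The trade-off discussed in this thread, as an added example that is not part of the original messages: it counts directory operations for per-member lookups against a bulk fetch of posixAccount and posixGroup entries joined locally. The `Directory` class, the sample entries and all function names are constructed for illustration; the sketch models neither sssd's cache nor the deref control's wire format.

```python
def norm(dn):
    # Simplified DN normalization for this sketch; real DN comparison follows
    # the directory's matching rules, not a plain lowercase.
    return dn.lower()

# Constructed sample entries (not real data): DN -> attributes.
BASE = "dc=example,dc=com"
ENTRIES = {
    f"uid=joe,ou=People,{BASE}": {"objectClass": ["posixAccount"], "uid": ["joe"]},
    f"uid=ann,ou=People,{BASE}": {"objectClass": ["posixAccount"], "uid": ["ann"]},
    f"cn=admins,ou=Groups,{BASE}": {
        "objectClass": ["posixGroup"], "cn": ["admins"],
        "member": [f"uid=joe,ou=People,{BASE}",
                   f"UID=Ann,ou=People,{BASE}",     # same entry, different case
                   f"uid=gone,ou=People,{BASE}"]},  # dangling reference
    f"cn=staff,ou=Groups,{BASE}": {
        "objectClass": ["posixGroup"], "cn": ["staff"],
        "member": [f"uid=joe,ou=People,{BASE}"]},
}

class Directory:
    """Hypothetical in-memory stand-in for an LDAP server that counts operations."""
    def __init__(self, entries):
        self.entries = {norm(dn): attrs for dn, attrs in entries.items()}
        self.ops = 0

    def read(self, dn):              # models one base-scope search
        self.ops += 1
        return self.entries.get(norm(dn))

    def search(self, object_class):  # models one subtree search by objectClass
        self.ops += 1
        return {dn: a for dn, a in self.entries.items() if object_class in a["objectClass"]}

def members_per_lookup(directory, group_dn):
    """One read for the group, then one more read per member DN."""
    group = directory.read(group_dn) or {}
    found = (directory.read(dn) for dn in group.get("member", []))
    return sorted(e["uid"][0] for e in found if e and "uid" in e)

def members_bulk(directory):
    """Two searches in total, then join member DNs to uids locally."""
    accounts = directory.search("posixAccount")
    groups = directory.search("posixGroup")
    uid_by_dn = {dn: a["uid"][0] for dn, a in accounts.items()}
    return {g["cn"][0]: sorted(uid_by_dn[norm(m)] for m in g.get("member", [])
                               if norm(m) in uid_by_dn)
            for g in groups.values()}

if __name__ == "__main__":
    d1, d2 = Directory(ENTRIES), Directory(ENTRIES)
    print(members_per_lookup(d1, f"cn=admins,ou=Groups,{BASE}"), d1.ops)
    print(members_bulk(d2), d2.ops)
```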